stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Update compose config, policy simulation, and workflow replay

Browse Source 
- devops/compose: README, docker-compose, hosts updates
- Policy simulation: pre-promotion and test-validate panels,
  routes, dashboard, and spec updates
- Workflow visualization: run-graph replay page template update
- Claude settings update

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
master
2026-03-30 17:26:02 +03:00
parent 260fce8ef8
commit 8536a6c707
11 changed files with 637 additions and 334 deletions
Download Patch File Download Diff File Expand all files Collapse all files

171
devops/compose/README.md
View File

@@ -9,6 +9,9 @@ Consolidated Docker Compose configuration for the StellaOps platform. All profil
| Run the full platform | `docker compose -f docker-compose.stella-ops.yml up -d` |
| Add observability | `docker compose -f docker-compose.stella-ops.yml -f docker-compose.telemetry.yml up -d` |
| Start QA integration fixtures | `docker compose -f docker-compose.integration-fixtures.yml up -d` |
| Start 3rd-party integration services | `docker compose -f docker-compose.integrations.yml up -d` |
| Start GitLab CE (heavy, ~4 GB RAM) | `docker compose -f docker-compose.integrations.yml --profile heavy up -d gitlab` |
| Run integration E2E test suite | See [Integration Test Suite](#integration-test-suite) |
| Run CI/testing infrastructure | `docker compose -f docker-compose.testing.yml --profile ci up -d` |
| Deploy with China compliance | See [China Compliance](#china-compliance-sm2sm3sm4) |
| Deploy with Russia compliance | See [Russia Compliance](#russia-compliance-gost) |
@@ -27,6 +30,7 @@ Consolidated Docker Compose configuration for the StellaOps platform. All profil
| `docker-compose.telemetry.yml` | **Observability**: OpenTelemetry collector, Prometheus, Tempo, Loki |
| `docker-compose.testing.yml` | **CI/Testing**: Test databases, mock services, Gitea for integration tests |
| `docker-compose.dev.yml` | **Minimal dev infrastructure**: PostgreSQL, Valkey, RustFS only |
| `docker-compose.integrations.yml` | **Integration services**: Gitea, Jenkins, Nexus, Vault, Docker Registry, MinIO, GitLab |
### Specialized Infrastructure
@@ -232,6 +236,173 @@ These fixtures are deterministic QA aids only; they are not production dependenc
---
### Third-Party Integration Services
Real 3rd-party services for local integration testing. Unlike the QA fixtures above (which are nginx mocks), these are fully functional instances that exercise actual connector plugin code paths.
```bash
# Start all lightweight integration services (after the main stack is up)
docker compose -f docker-compose.integrations.yml up -d
# Start specific services only
docker compose -f docker-compose.integrations.yml up -d gitea vault jenkins
# Start GitLab CE (heavy — requires ~4 GB RAM, ~3 min startup)
docker compose -f docker-compose.integrations.yml --profile heavy up -d gitlab
# Combine with mock fixtures for full coverage
docker compose \
-f docker-compose.integrations.yml \
-f docker-compose.integration-fixtures.yml \
up -d
```
**Hosts file entries** (add to `C:\Windows\System32\drivers\etc\hosts`):
```
127.1.2.1 gitea.stella-ops.local
127.1.2.2 jenkins.stella-ops.local
127.1.2.3 nexus.stella-ops.local
127.1.2.4 vault.stella-ops.local
127.1.2.5 registry.stella-ops.local
127.1.2.6 minio.stella-ops.local
127.1.2.7 gitlab.stella-ops.local
```
**Service reference:**
| Service | Type | Address | Credentials | Integration Provider |
|---------|------|---------|-------------|---------------------|
| Gitea | SCM | `http://gitea.stella-ops.local:3000` | Create on first login | `Gitea` |
| Jenkins | CI/CD | `http://jenkins.stella-ops.local:8080` | Setup wizard disabled | `Jenkins` |
| Nexus | Registry | `http://nexus.stella-ops.local:8081` | admin / see `admin.password` | `Nexus` |
| Vault | Secrets | `http://vault.stella-ops.local:8200` | Token: `stellaops-dev-root-token-2026` | — |
| Docker Registry | Registry | `http://registry.stella-ops.local:5000` | None (open dev) | `DockerHub` |
| MinIO | S3 Storage | `http://minio.stella-ops.local:9001` | `stellaops` / `Stella2026!` | — |
| GitLab CE | SCM+CI+Registry | `http://gitlab.stella-ops.local:8929` | root / `Stella2026!` | `GitLabServer` |
**Credential resolution:** Integration connectors resolve secrets via `authref://vault/{path}#{key}` URIs. The Integrations service resolves these from Vault automatically in dev mode. Store credentials with:
```bash
export VAULT_ADDR=http://vault.stella-ops.local:8200
export VAULT_TOKEN=stellaops-dev-root-token-2026
vault kv put secret/harbor robot-account="harbor-robot-token"
vault kv put secret/github app-private-key="your-key"
vault kv put secret/gitea api-token="your-gitea-token"
vault kv put secret/gitlab access-token="glpat-your-token"
vault kv put secret/jenkins api-token="user:token"
vault kv put secret/nexus admin-password="your-password"
```
**Backend connector plugins** (8 total, loaded in Integrations service):
| Plugin | Type | Provider | Health Endpoint |
|--------|------|----------|-----------------|
| Harbor | Registry | `Harbor` | `/api/v2.0/health` |
| Docker Registry | Registry | `DockerHub` | `/v2/` |
| Nexus | Registry | `Nexus` | `/service/rest/v1/status` |
| GitHub App | SCM | `GitHubApp` | `/api/v3/app` |
| Gitea | SCM | `Gitea` | `/api/v1/version` |
| GitLab | SCM | `GitLabServer` | `/api/v4/version` |
| Jenkins | CI/CD | `Jenkins` | `/api/json` |
| InMemory | Testing | `InMemory` | — (hidden) |
**Advisory fixture endpoints** (for advisory sources that are unreachable from Docker):
| Service | Hostname | Port | Mocked Sources |
|---------|----------|------|----------------|
| Advisory fixture | `advisory-fixture.stella-ops.local` | 80 | CERT-In, FSTEC BDU, VEX Hub, StellaOps Mirror, Exploit-DB, AMD, Siemens, Ruby Advisory DB |
**IP address map:**
| IP | Service | Port(s) |
|----|---------|---------|
| 127.1.1.6 | harbor-fixture | 80 |
| 127.1.1.7 | github-app-fixture | 80 |
| 127.1.1.8 | advisory-fixture | 80 |
| 127.1.2.1 | gitea | 3000, 2222 |
| 127.1.2.2 | jenkins | 8080, 50000 |
| 127.1.2.3 | nexus | 8081, 8082, 8083 |
| 127.1.2.4 | vault | 8200 |
| 127.1.2.5 | docker-registry | 5000 |
| 127.1.2.6 | minio | 9000, 9001 |
| 127.1.2.7 | gitlab (heavy) | 8929, 2224, 5050 |
For detailed setup instructions per service, see [`docs/integrations/LOCAL_SERVICES.md`](../../docs/integrations/LOCAL_SERVICES.md).
### Integration Test Suite
A Playwright-based E2E test suite validates the full integration lifecycle against the live stack. It covers 5 areas:
| Area | What it tests |
|------|--------------|
| Compose Health | All fixture + service containers are running and healthy |
| Endpoint Probes | Direct HTTP to each 3rd-party service (Harbor, Gitea, Jenkins, Nexus, Vault, Registry, MinIO) |
| Connector Lifecycle | Create integrations via API, verify auto-activation, test-connection, health-check, cleanup |
| Advisory Sources | All 74 advisory & VEX sources report healthy |
| UI Verification | Hub counts, per-tab list views, tab switching |
**Prerequisites:**
```bash
# 1. Main stack must be running
docker compose -f docker-compose.stella-ops.yml up -d
# 2. Start integration fixtures (mock endpoints)
docker compose -f docker-compose.integration-fixtures.yml up -d
# 3. Start real 3rd-party services
docker compose -f docker-compose.integrations.yml up -d
# 4. (Optional) Start GitLab for full SCM coverage
docker compose -f docker-compose.integrations.yml --profile heavy up -d gitlab
```
**Run the test suite:**
```bash
cd src/Web/StellaOps.Web
# Run all integration tests
E2E_RUN_ID=$(date +%s) \
PLAYWRIGHT_BASE_URL=https://stella-ops.local \
npx playwright test --config=playwright.integrations.config.ts
# Run a specific test group
E2E_RUN_ID=$(date +%s) \
PLAYWRIGHT_BASE_URL=https://stella-ops.local \
npx playwright test --config=playwright.integrations.config.ts \
--grep "Compose Health"
# Run with verbose output
E2E_RUN_ID=$(date +%s) \
PLAYWRIGHT_BASE_URL=https://stella-ops.local \
npx playwright test --config=playwright.integrations.config.ts \
--reporter=list
```
**Environment variables:**
| Variable | Default | Purpose |
|----------|---------|---------|
| `PLAYWRIGHT_BASE_URL` | `https://stella-ops.local` | Target Stella Ops instance |
| `E2E_RUN_ID` | `run1` | Unique suffix for test integration names (avoids duplicates across runs) |
| `STELLAOPS_ADMIN_USER` | `admin` | Login username |
| `STELLAOPS_ADMIN_PASS` | `Admin@Stella2026!` | Login password |
**Key files:**
| File | Purpose |
|------|---------|
| `src/Web/StellaOps.Web/playwright.integrations.config.ts` | Playwright config (no dev server, live stack) |
| `src/Web/StellaOps.Web/tests/e2e/integrations/integrations.e2e.spec.ts` | Test suite (35 tests) |
| `src/Web/StellaOps.Web/tests/e2e/integrations/live-auth.fixture.ts` | Real OIDC login fixture |
| `src/Web/StellaOps.Web/e2e/screenshots/integrations/` | Test screenshots |
**Note:** Unlike the mocked E2E tests in `tests/e2e/` and `e2e/`, this suite performs real OIDC login and hits the live API. It requires all services to be running and healthy.
---
## Regional Compliance Deployments
### China Compliance (SM2/SM3/SM4)